One year ago Microsoft introduced a feature in Hotmail that marked mail from a set of “trusted senders”, primarily banks, with a Trusted Sender icon. The idea was that if mail from your bank was marked with the icon you could trust it, and if mail claiming to be from your bank wasn’t marked then you should be suspicious that it was a phishing attempt. Sadly, this Hotmail feature does not seem to be working. For the financial institutions that I use that are considered trusted senders by Microsoft, less than 25% of the legitimate emails I receive are marked with the Trusted Sender icon. As a result Trusted Sender has absolutely no meaning. For this feature to really work would require that all email from a trusted sender was marked appropriately so that any mail that wasn’t would obviously be a phishing attempt.

I’ve seen nothing new from Microsoft about the Hotmail Trusted Sender program, and it clearly isn’t working after a year of existence. So I have to conclude this feature is all about show and not about actually helping users distinguish between legitimate and phishing email.

The feature requires that the sender be using either SenderID or DKIM, and then Microsoft applies a set of subjective criteria to decide if the mail should be marked as trusted. Those subjective criteria are things like if the domain normally has phishing attempts against it and if the mails are transactional in nature. So I can’t tell if the problem is lack of SenderID/DKIM usage or Microsoft being rather stingy with its use of the Trusted Sender label. On top of that the problems with mail apparently from the same domain being marked on some occasions and not on others is probably the use of different mailers. For example the transactional mail might come directly from a domain and the non-transactional mail from a contract email. Or from different domains altogether (e.g., Schwab vs. Schwab Charitable) although to the user this is splitting hairs. And so we are left without a way to really tell if emails are from who they say they are, and the Trusted Sender label is too intermittent for me (and I suspect anyone else) to pay attention to.

Which brings us to the simple truth that eight years after Bill Gates declared the world would be SPAM Free in two years, it doesn’t feel like we’ve gotten very far. And while Bill was being overoptimisitc, the bottom line is that neither the concept he was counting on to make that real (“payment at risk”), nor any other technology that really changes the economics of SPAM, has been adopted. We have better Black Lists (which actually block most of the world’s SPAM) and employ better filters than we had in 2004, but the improvements are incremental and the breakthroughs absent.